Implementing Cisco IOS Network Security (IINS) is a Cisco-authorized, self-paced learning tool for CCNA® Security foundation learning. This book provides you with the knowledge needed to secure Cisco® routers and switches and their associated networks. By reading this book, you will gain a thorough understanding of how to troubleshoot and monitor network devices to maintain integrity, confidentiality, and availability of data and devices, as well as the technologies that Cisco uses in its security infrastructure.
This book focuses on the necessity of a comprehensive security policy and how it affects the posture of the network. You will learn how to perform basic tasks to secure a small branch type office network using Cisco IOS® security features available through the Cisco Router and Security Device Manager (SDM) web-based graphical user interface (GUI) and through the command-line interface (CLI) on Cisco routers and switches. The author also provides, when appropriate, parallels with Cisco ASA appliances.
Whether you are preparing for CCNA Security certification or simply want to gain a better understanding of Cisco IOS security fundamentals, you will benefit from the information provided in this book.
Implementing Cisco IOS Network Security (IINS) is part of a recommended learning path from Cisco that includes simulation and hands-on training from authorized Cisco Learning Partners and self-study products from Cisco Press. To find out more about instructor-led training, e-learning, and hands-on instruction offered by authorized Cisco Learning Partners worldwide, please visit www.cisco.com/go/authorizedtraining.
- Develop a comprehensive network security policy to counter threats against information security
- Configure routers on the network perimeter with Cisco IOS Software security features
- Configure firewall features including ACLs and Cisco IOS zone-based policy firewalls to perform basic security operations on a network
- Configure site-to-site VPNs using Cisco IOS features
- Configure IPS on Cisco network routers
- Configure LAN devices to control access, resist attacks, shield other network devices and systems, and protect the integrity and confidentiality of network traffic
This volume is in the Certification Self-Study Series offered by Cisco Press®. Books in this series provide officially developed self-study solutions to help networking professionals understand technology implementations and prepare for the Cisco Career Certifications examinations.
Table of Contents:
&n> Chapter 1 Introduction to Network Security Principles
Examining Network Security Fundamentals
The Need for Network Security
Network Security Objectives
Data Classification
Security Controls
Response to a Security Breach
Laws and Ethics
Examining Network Attack Methodologies
Adversaries, Motivations, and Classes of Attack
Classes of Attack and Methodology
The Principles of Defense in Depth
IP Spoofing Attacks
Confidentiality Attacks
Integrity Attacks
Availability Attacks
Best Practices to Defeat Network Attacks
Examining Operations Security
Secure Network Life Cycle Management
Principles of Operations Security
Network Security Testing
Disaster Recovery and Business Continuity Planning
Understanding and Developing a Comprehensive Network Security Policy
Security Policy Overview
Security Policy Components
Standards, Guidelines, and Procedures
Security Policy Roles and Responsibilities
Risk Analysis and Management
Principles of Secure Network Design
Security Awareness
Cisco Self-Defending Networks
Changing Threats and Challenges
Building a Cisco Self-Defending Network
Cisco Integrated Security Portfolio
Summary
References
Review Questions
Chapter 2 Perimeter Security
Securing Administrative Access to Cisco Routers
General Router Security Guidelines
Introduction to the Cisco Integrated Services Router Family
Configuring Secure Administration Access
Configuring Multiple Privilege Levels
Configuring Role-Based Command-Line Interface Access
Securing the Cisco IOS Image and Configuration Files
Configuring Enhanced Support for Virtual Logins
Delays Between Successive Login Attempts
Login Shutdown if DoS Attacks Are Suspected
Generation of System Logging Messages for Login Detection
Configuring Banner Messages
Introducing Cisco SDM
Supporting Cisco SDM and Cisco SDM Express
Launching Cisco SDM Express
Launching Cisco SDM
Navigating the Cisco SDM Interface
Cisco SDM Wizards in Configure Mode
Configuring AAA on a Cisco Router Using the Local Database
Authentication, Authorization, and Accounting
Introduction to AAA for Cisco Routers
Using Local Services to Authenticate Router Access
Configuring AAA on a Cisco Router to Use Cisco Secure ACS
Cisco Secure ACS Overview
TACACS+ and RADIUS Protocols
Installing Cisco Secure ACS for Windows
Configuring the Server
Configuring TACACS+ Support on a Cisco Router
Troubleshooting TACACS+
Implementing Secure Management and Reporting
Planning Considerations for Secure Management and Reporting
Secure Management and Reporting Architecture
Using Syslog Logging for Network Security
Using Logs to Monitor Network Security
Using SNMP to Manage Network Devices
Configuring an SSH Daemon for Secure Management and Reporting
Enabling Time Features
Locking Down the Router
Vulnerable Router Services and Interfaces
Management Service Vulnerabilities
Performing a Security Audit
Cisco AutoSecure
Chapter Summary
References
Review Questions
Chapter 3 Network Security Using Cisco IOS Firewalls
Introducing Firewall Technologies
Firewall Fundamentals
Firewalls in a Layered Defense Strategy
Static Packet-Filtering Firewalls
Application Layer Gateways
Dynamic or Stateful Packet-Filtering Firewalls
Other Types of Firewalls
Cisco Family of Firewalls
Developing an Effective Firewall Policy
ACL Fundamentals
ACL Wildcard Masking
Using ACLs to Control Traffic
ACL Considerations
Configuring ACLs Using SDM
Using ACLs to Permit and Deny Network Services
Configuring a Cisco IOS Zone-Based Policy Firewall
Zone-Based Policy Firewall Overview
Configuring Zone-Based Policy Firewalls Using the Basic Firewall Wizard
Manually Configuring Zone-Based Policy Firewalls Using Cisco SDM
Monitoring a Zone-Based-Firewall
Summary
References
Review Questions
Chapter 4 Fundamentals of Cryptography
Examining Cryptographic Services
Cryptology Overview
Symmetric and Asymmetric Encryption Algorithms
Block and Stream Ciphers
Encryption Algorithm Selection
Cryptographic Hashes
Key Management
Introducing SSL VPNs
Examining Symmetric Encryption
Symmetric Encryption Overview
DES: Features and Functions
3DES: Features and Functions
AES: Features and Functions
SEAL: Features and Functions
Rivest Ciphers: Features and Functions
Examining Cryptographic Hashes and Digital Signatures
Overview of Hash Algorithms
Overview of Hashed Message Authentication Codes
MD5: Features and Functions
SHA-1: Features and Functions
Overview of Digital Signatures
DSS: Features and Functions
Examining Asymmetric Encryption and PKI
Asymmetric Encryption Overview
RSA: Features and Functions
DH: Features and Functions
PKI Definitions and Algorithms
PKI Standards
Certificate Authorities
Summary
References
Review Questions
Chapter 5 Site-to-Site VPNs
VPN Overview
VPN Types
Cisco VPN Product Family
Introducing IPsec
Encryption Algorithms
Diffie-Hellman Exchange
Data Integrity
Authentication
IPsec Advantages
IPsec Protocol Framework
Authentication Header
Encapsulating Security Payload
Tunnel Mode Versus Transport Mode
IPsec Framework
IKE Protocol
IKE Phase 1
IKE Phase 1: Example
IKE Phase 2
Building a Site-to-Site IPsec VPN
Site-to-Site IPsec VPN Operations
Configuring IPsec
Verifying the IPsec Configuration
Configuring IPsec on a Site-to-Site VPN Using Cisco SDM
Introducing the Cisco SDM VPN Wizard Interface
Site-to-Site VPN Components
Using the Cisco SDM Wizards to Configure Site-to-Site VPNs
Completing the Configuration
Summary
References
Review Questions
Chapter 6 Network Security Using Cisco IOS IPS
Introducing IDS and IPS
Types of IDS and IPS Systems
IPS Actions
Event Monitoring and Management
Cisco IPS Management Software
Cisco Router and Security Device Manager
Cisco Security Monitoring, Analysis, and Response System
Cisco IDS Event Viewer
Cisco Security Manager
Cisco IPS Device Manager
Host and Network IPS
Host-Based IPS
Network-Based IPS
Comparing HIPS and Network IPS
Introducing Cisco IPS Appliances
Cisco IPS 4200 Series Sensors
Cisco ASA AIP SSM
Cisco Catalyst 6500 Series IDSM-2
Cisco IPS AIM
Signatures and Signature Engines
Examining Signature Micro-Engines
Signature Alarms
IPS Best Practices
Configuring Cisco IOS IPS
Cisco IOS IPS Features
Configuring Cisco IOS IPS Using Cisco SDM
Configuring Cisco IOS IPS Using CLI
Configuring IPS Signatures
Monitoring IOS IPS
Verifying IPS Operation
Summary
References
Review Questions
Chapter 7 LAN, SAN, Voice, and Endpoint Security Overview
Examining Endpoint Security
Operating System Vulnerabilities
Application Vulnerabilities
Buffer Overflows
IronPort
Cisco NAC Products
Cisco Security Agent
Endpoint Security Best Practices
Examining SAN Security
Defining SANs
SAN Fundamentals
SAN Security Scope
Examining Voice Security
VoIP Fundamentals
Voice Security Threats
Defending Against VoIP Hacking
Mitigating Layer 2 Attacks
Basic Switch Operation
Mitigating VLAN Attacks
Preventing Spanning Tree Protocol Manipulation
CAM Table Overflow Attacks
MAC Address Spoofing Attacks
Using Port Security
Additional Switch Security Features
Layer 2 Best Practices
Summary
References
Review Questions
Appendix Answers to Chapter Review Questions
Index
About the Author :
Catherine Paquet is a practitioner in the field of internetworking, network security, and security financials. She has authored or contributed to eight books thus far with Cisco Press. Catherine has in-depth knowledge of security systems, remote access, and routing technology. She is a Cisco Certified Security Professional (CCSP) and a Cisco Certified Network Professional (CCNP). Catherine is also a certified Cisco instructor with Cisco’s largest training partner, Global Knowledge, Inc. She also works on IT security projects for different organizations on a part-time basis. Following her university graduation from the Collège Militaire Royal de St-Jean (Canada), she worked as a system analyst, LAN manager, MAN manager, and eventually as a WAN manager. In 1994, she received a master’s degree in business administration (MBA) with a specialty in management information systems (MIS) from York University. Recently, she has been presenting a seminar on behalf of Cisco Systems (Emerging Markets) on the topic of the business case for network security in 22 countries. In 2002 and 2003, Catherine volunteered with the U.N. mission in Kabul, Afghanistan, to train Afghan public servants in the area of networking. Catherine lives in Toronto with her husband. They have two children, who are both attending university.
